It was reported to secalert that the autofs defaults do not set the nodev NFS option. bug 410031 notes the missing nosuid option by default for the /net autofs filesystems, the fix for that issue did not take into account that there was also a missing nodev option for these filesystems. Without the nodev option, it is possible for an attacker to mount a remote filesystem which could give them access to various devices that should normally have restricted access, such as /dev/mem, and various hardware devices. Acknowledgements: Red Hat would like to thank Tim Baum for reporting this issue.
Lifting embargo.
Fixed now in affected version of Red Hat Enterprise Linux: https://rhn.redhat.com/errata/RHSA-2007-1176.html https://rhn.redhat.com/errata/RHSA-2007-1177.html
Updates now available also in stable Fedora repositories: https://admin.fedoraproject.org/updates/F7/FEDORA-2007-4709 https://admin.fedoraproject.org/updates/F8/FEDORA-2007-4707